Router behind a router = more secure?

[silkstone]

Hi, I have a quick question about network security.

I'm wondering what the best way (security wise) is to set up my routers.

I have a router/modem combo that connects directly to the internet and a separate WiFi network for all my other devices. My main rig is using a wired connection. The WiFi router is more modern and so probably has better firmware.

I have two options of configuration.

1 - Router/modem > WiFi Router - Separate DHCP servers & all connections going through the WiFi router
or
2 - Router/modem + wired connection to main rig > WiFi Router (as an access point using the modem's DHCP server) with everything else connected to the AP (over WiFi)

Does it make a difference security wise?

Thx for any help.

 

[brandonwh64]

really it all determines what you have turned on in terms of firewall settings on the routers. Personally I would not double NAT i could cause issues with online gaming. When I first got home and had charter internet installed, they tried to rent me a router/wifi combo and I told them no due to the fact that I would rather have a standard DOCSIS motorola surfboard so I could use my own style router.

 

[lilhasselhoffer]

The simple answer is no.


The longer answer is that this configuration provides no benefit beyond complexities. Allow me to elaborate.

You've got a certain amount of jumps that data must make in order to get to its target. Let's just say there are three nodes between yourself and the target computer. By having two routers you're likely to have to transfer from one internal network, to another internal network, then to a wide area network. Assuming you were trying to be brute force compromised this would be a good thing. Realistically, brute force hacking is reserved for valuable targets with high security. It's unlikely that you warrant such an attack.

Most compromises for private networks are carried out via known security issues. Firmware may have an exploit, hardware can have a built-in back door, and the most easily compromised component of any system is a user.


If you want real security then you need to do a lot of modifying and customizing on a router. If you've got a consumer router at your house, it's unlikely that you'd have the knowledge to do this.

 

[silkstone]

Most compromises for private networks are carried out via known security issues. Firmware may have an exploit, hardware can have a built-in back door, and the most easily compromised component of any system is a user.


If you want real security then you need to do a lot of modifying and customizing on a router. If you've got a consumer router at your house, it's unlikely that you'd have the knowledge to do this.

So if I had all my computers behind the second router, only the first would need to be compromised before an attacker would have access to computers on my network?

I ran tracert to an external ip, and the latency between the two routers is <1 ms. My average ping is around 250-350 ms when I game anyway.

I'm not amazingly worried about getting hacked or anything, I'm just interested to learn how everything works.

 

[lilhasselhoffer]

So if I had all my computers behind the second router, only the first would need to be compromised before an attacker would have access to computers on my network?

I ran tracert to an external ip, and the latency between the two routers is <1 ms. My average ping is around 250-350 ms when I game anyway.

I'm not amazingly worried about getting hacked or anything, I'm just interested to learn how everything works.

..ok, not sure how best to put this. Please forgive me if I cover anything you already know.

Let's assume this is brute force, and you've someone hell bent on getting access to your computer. They'd first have to either get communication with the router on an open port, or continuously try to crack the password to the router. In the first case, you'd ping the ports for anything open and unsecured and have either a very quick compromise or the understanding that brute force trial would be needed. Let's discount option one, and start assuming that brute force is a necessity.

Brute force attacks are greatly more effective with some sort of guidance (look up rainbow tables to get an idea there), but can just be dumb 00000001, 00000010, 00000011, etc... attacks. Let's again assume that the attack requires brute force only. Compromising that one router gives access to the data stream from any device connected to it. If your PC is connected then the next step is the firewall. If the PC is behind another router you start over with the brute force attack on it. Eventually, you get to the PC. Assuming you're on a trusted network, you're unlikely to have firewalls running on the PCs. No firewall means you're one browser/OS hack away from having a computer compromised.


Boiling all this down, extra router theoretically offer security through increased path distance to a computer. The theory breaks down rather quickly in reality though.


The likelihood of a brute force attack is almost zero. Brute force attacks are easy to detect, bring systems to a halt, and are rarely worth the effort involved. The faster way to attack a computer is to use an exploit. A port left open due to legacy programming, a developer back-door, or even remote commands which reset hardware all exist today. Assuming a little foresight, an inept user who doesn't reset from the default passwords, and a bit of research any idiot could hack a home network that isn't geared up for security. This kind of attack will circumvent pretty much anything put in place to secure the system, and it takes a short period of time.

So shortening this up, one router properly secured trounces two dozen with half-baked security. You don't really need to worry about brute force attacks, at least on a home network. Finally, us users are almost always directly responsible for compromises.

 

[silkstone]

..ok, not sure how best to put this. Please forgive me if I cover anything you already know.

Let's assume this is brute force, and you've someone hell bent on getting access to your computer. They'd first have to either get communication with the router on an open port, or continuously try to crack the password to the router. In the first case, you'd ping the ports for anything open and unsecured and have either a very quick compromise or the understanding that brute force trial would be needed. Let's discount option one, and start assuming that brute force is a necessity.

Brute force attacks are greatly more effective with some sort of guidance (look up rainbow tables to get an idea there), but can just be dumb 00000001, 00000010, 00000011, etc... attacks. Let's again assume that the attack requires brute force only. Compromising that one router gives access to the data stream from any device connected to it. If your PC is connected then the next step is the firewall. If the PC is behind another router you start over with the brute force attack on it. Eventually, you get to the PC. Assuming you're on a trusted network, you're unlikely to have firewalls running on the PCs. No firewall means you're one browser/OS hack away from having a computer compromised.


Boiling all this down, extra router theoretically offer security through increased path distance to a computer. The theory breaks down rather quickly in reality though.


The likelihood of a brute force attack is almost zero. Brute force attacks are easy to detect, bring systems to a halt, and are rarely worth the effort involved. The faster way to attack a computer is to use an exploit. A port left open due to legacy programming, a developer back-door, or even remote commands which reset hardware all exist today. Assuming a little foresight, an inept user who doesn't reset from the default passwords, and a bit of research any idiot could hack a home network that isn't geared up for security. This kind of attack will circumvent pretty much anything put in place to secure the system, and it takes a short period of time.

So shortening this up, one router properly secured trounces two dozen with half-baked security. You don't really need to worry about brute force attacks, at least on a home network. Finally, us users are almost always directly responsible for compromises.

Thanks for the info. I kind of assumed most of the stuff about brute force. I still have a question regarding exploits though. If someone gets access to my first router, does that mean they automatically gain access to the second router and thus all devices connected?

I've secured my router that connects directly to the internet as best I can, and I'm not particularly worried about being hacked although the report of something like 300k routers in VN being compromised did scare me a little . I have uPnP disabled, access to config via LAN only and obviously the firewall is on.

 

[lilhasselhoffer]

Thanks for the info. I kind of assumed most of the stuff about brute force. I still have a question regarding exploits though. If someone gets access to my first router, does that mean they automatically gain access to the second router and thus all devices connected?

I've secured my router that connects directly to the internet as best I can, and I'm not particularly worried about being hacked although the report of something like 300k routers in VN being compromised did scare me a little . I have uPnP disabled, access to config via LAN only and obviously the firewall is on.

No is the short answer. They only gain that as a foothold, and can only begin exploiting things directly connected to that router. If another router is all that is connected then they have to gain access to it before they can begin attacking the attached devices.

Let's take an aside, and imagine your internet as a medieval world. Various roads connect each city, and along these roads people can flow. Each city is protected by a wall, with various gates to allow people to flow in and out. The more affluent cities in fact have an inner and outer wall. Assuming that the people controlling the gates see a person as potentially harmful, they can reject passage and prevent attacks. Also, if a person makes it past the outer wall they don't immediately know what is behind the inner wall. For this knowledge they would have to get past another gate.

Using this analogy, the people are data. Gates are ports, with the people manning the gates being security settings and built-in responses to attack from the router. The router is a wall, and your PCs and devices are what is protected within various parts of the wall. Brute force attacks would be walking up to the wall and wiggling each stone until you found a loose one that you could remove to form a new entrance. Exploits would be dressing up as a different person in order to get into a gate.

 

[brandonwh64]

I would not worry about some hacker targeting you unless you advertise some type of prize "info" on your network. A simple Router with firewall settings should be enough if you set it up properly. If this was a business I would suggest a external firewall such as a fortigate 200 series.

 

[silkstone]

Thanks.

So it is more secure from both exploits and brute force to have router > Router > Computers. An attacker would have to find exploits in both routers before gaining access to a network?

I would not worry about some hacker targeting you unless you advertise some type of prize "info" on your network. A simple Router with firewall settings should be enough if you set it up properly. If this was a business I would suggest a external firewall such as a fortigate 200 series.

I'm not that worried, I just wanted to know the theory as I seem to get conflicting information. I had always assumed that having a router behind a router would be better security-wise.

I am pretty sure that my router would be on the list of those compromised in Vietnam by malware. The malware only changed the primary DNS for the router, so I would still not be immune to this kind of attack if someone gained access to my internet facing router, but it got me thinking more about security.